Vendor Resources

Handbooks and Policies

Information Security Resources

Data Use Agreement

A Data Use Agreement is required for all covered or governmental entities that perform business associate functions or that access certain types of confidential information subject to specific regulatory requirements for privacy, security and breach notification.

HHS agencies must require these entities to execute a Data Use Agreement. The agreement contractually binds the entity to those regulatory requirements and gives HHS enforcement capability should the entity fail to protect HHS confidential information.

Texas HHS Security and Privacy Inquiry

The Security and Privacy Inquiry questionnaire lists the minimum HHS information security and privacy requirements that must be met before an entity may access HHS confidential information. An external entity must be able to confirm that all requirements are "in place" before being considered eligible to conduct business with HHS (additional information security and privacy requirements may apply).

The Security and Privacy Inquiry (PDF) is required by federal and state law to demonstrate minimum compliance with privacy and security regulations.

It is an attachment to the Data Use Agreement and must be completed by the vendor prior to the Data Use Agreement being executed.

Supplemental Health Information Technology Guide

The Office of the National Coordinator publishes the Privacy and Security of Electronic Health Information Guide (PDF) to help healthcare providers (especially HIPAA covered entities and Medicare eligible professionals) better understand how to integrate federal health information privacy and security requirements into their practices.

Risk Assessment Report and System Security Plan

The Risk Assessment Report (RAR) is an annual requirement of TAC 202 that is completed by vendors and submitted to HHS on a specific schedule. The RAR is also reviewed during a Security Assessment or upon request by the HHS CISO.

The System Security Plan (SSP) documents the required information security and privacy controls and how they are implemented in the environments and devices associated with an information system. Vendors are required to keep this "living" document current as approved changes are made to the information system.

Vendors must also respond to a security documentation request for the RAR and SSP (necessary to confirm compliance) within 10 business days of the official request from the contract manager.

Security Assessment Report and Attestation Guidance

The Security Assessment Report is used to identify and document the current risk level of HHS information resources and systems. This report details how the HHS information resources and systems comply with applicable HHS information security controls. External entities must also attest they are compliant with all HHS information security control requirements.

Completion of Cybersecurity Training for Contractors (as part of HB3834)

As defined in Section 2054.5192 of the Texas Government Code, HHS shall require any contractor with access to HHS information (data) resources and systems to complete a cybersecurity training program certified by the Department of Information Resources.

Contractors document completion on the Contractor Written Acknowledgement of Completion of Cybersecurity Training Program form. This form must be completed and returned to the appropriate contract manager each new fiscal year, no later than April 30th.

Find more information on the HB3834 Information Security/Cybersecurity Training Requirement for Contractors FAQ (PDF).

HHS Authorization to Operate

Texas Administrative Code 202.26 requires a senior organizational official to formally accept responsibility for any residual risk of an HHS information system and grant Authorization to Operate (ATO).

The Deputy Executive Commissioner will sign the ATO after an HHS information system has undergone a risk and security assessment confirming the system has met and passed all security and privacy requirements to become operational.

The Security Assessment Report and Attestation typically satisfies the ATO documentation of compliance, provided it covers the required information security controls. Any Plan of Action and Milestones, exceptions and contractual security agreements (e.g., the Data Use Agreement and the Security and Privacy Inquiry) may also be required.

These documents must be submitted to the HHS program office when an ATO is required, as outlined in the Security Assessment Report and Attestation Guideline. The HHS program office then initiates the ATO request by submitting the documents to the HHS CISO.

While the authorization package may not require the System Security Plan or Risk Assessment Report to be submitted to HHS for an ATO, each document MUST be available upon a security documentation request (necessary to confirm compliance) within 10 business days of the official request from the contract manager.

Grant and HUB Resources

Grant resources may be found at https://hhs.texas.gov/doing-business-hhs/grants. For HUB resources, visit the HUB Procurement Resources page and the Toolkit for Business Development page.

DCS Service Delivery Resources

GlobalScape Navigation Help (PDF) — This document helps SFTP (GlobalScape) users with general navigation of the GlobalScape web transfer client.

Other Resources & Training

For video, recorded webinars and other training resources, visit the Vendor Training Center page.

Need More Help?

We are committed to working smart and working together for Texans. If you have additional questions about procurements, the procurement process, or need additional training, contact us at PCS_CST_HHSC@hhsc.state.tx.us.

Is there a resource missing? Contact Procurement and Contracting Communications at PCS_Communications@hhsc.state.tx.us.